CVE-2024-32002: 
vulnerability analysis and mitigation

Git versions prior to 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4 contain a critical security vulnerability (CVE-2024-32002) where repositories with submodules can be crafted to exploit a bug in Git. The vulnerability allows attackers to write files into the .git/ directory instead of the submodule's worktree, enabling the execution of malicious hooks during the clone operation before users can inspect the code (GitHub Advisory).

The vulnerability exploits a case confusion issue on case-insensitive filesystems that support symbolic links. When performing recursive clones, the attack involves first initializing a submodule, then replacing its parent directory with a symbolic link into the .git/ directory. The second stage of the recursive clone would then write hooks that are immediately executed (OSS Security). The vulnerability has been assigned a CVSS v3.1 base score of 9.0 (Critical) with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H (GitHub Advisory).

The vulnerability allows for remote code execution during the clone operation, giving attackers the ability to execute arbitrary code before users have an opportunity to inspect what is being executed. This poses a significant security risk as it could lead to system compromise through malicious code execution (GitHub Advisory).

The vulnerability has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4. As a workaround, users can disable symbolic link support in Git by using the command git config --global core.symlinks false. Additionally, it is recommended to avoid cloning repositories from untrusted sources (GitHub Advisory).